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Any two-party cryptographic primitive can be implemented using quantum communication under 
the assumption that it is difficult to store a large number of quantum states perfectly. However, 
achieving reliable quantum communication over long distances remains a difficult problem. Here, we 
consider a large network of nodes with only neighboring quantum links. We exploit properties of this 
cloud of nodes to enable any two nodes to achieve security even if they are not directly connected. 
Our results are based on techniques from classical cryptography and do not resort to technologically 
difficult procedures like entanglement swapping. More precisely, we show that oblivious transfer can 
be achieved in such a network if and only if there exists a path in the network between the sender 
and the receiver along which all nodes are honest. Finally, we show that useful notions of security 
can still be achieved when we relax the assumption of an honest path. For example, we show that 
we can combine our protocol for oblivious transfer with computational assumptions such that we 
obtain security if either there exists an honest path, or, as a backup, at least the adversary cannot 
solve a computational problem. 



Quantum communication allows us to achieve crypto- 
graphic security without relying on unproven computa- 
tional assumptions. Two nodes, Alice and Bob, can es- 
tablish a secure key using quantum key distribution PQH], 
and, moreover, solve any two-party cryptographic prob- 
lem even if they do not trust each other in the noisy- 
storage model [3- 5 . Well-known examples of such prob- 
lems include secure identification [B] , as well as electronic 
voting and secure auctions. More generally, Alice and 
Bob wish to solve problems where Alice holds an input x 
(eg. the amount of money she is willing to bid for an item 
sold by Bob) and Bob holds an input y (e.g. his mini- 
mum asking price) , and they want to obtain the value of 
some function f(x,y) (e.g. output no if x < y, and x 
otherwise) as depicted below. In this setting, there is no 
outside eavesdropper but Alice or Bob themselves may 
be dishonest. Security thereby means that Alice should 
not learn anything about y and Bob should not learn 
anything about x, apart from what can be inferred from 
the value of f(x,y) [7]. 
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Unfortunately, quantum communication over long dis- 
tances poses a formidable problem. At present, quantum 
key distribution has been achieved over a distance of at 
most 145km in fiber [8] or 144km in freespace [9J HP] . 
In addition, having a direct communication link between 
any two nodes that may wish to communicate is an infea- 
sible problem even when it comes to classical communi- 
cation. Instead, we have networks of nodes, such as the 
present day internet, in which only some nodes are di- 
rectly connected, but are willing to relay communication 
for other nodes who do not share a direct link. Typically 



it is easy to connect two nodes who are physically close. 
In order to achieve longer distances, many forms of quan- 
tum repeaters have been proposed in order extend the 
range of quantum communication to obtain a quantum 
version of the internet [HI [12] . Broadly speaking, quan- 
tum repeaters used in key distribution come in two vari- 
ants: in the first, the nodes along the path between Alice 
and Bob are trusted, and we perform quantum key dis- 
tribution between each two neighbours. This form of re- 
peater is known as trusted relay and was for example used 
in the network of SECOQC [13] . The second method is to 
have the intermediary nodes create entanglement, allow- 
ing Alice and Bob to create entanglement between them 
using the concept of entanglement swapping |14j . This is 
clearly more desirable than relying on trusted relays, but 
technologically very difficult to achieve especially when 
there are many intermediary nodes. Many experiments 
have been done over the last twelve years [TBT - fTT] . but 
still we are far from using this technology for QKD [13] . 
and similarly for the case of two-party computation in 
the noisy-storage model. What both of these approaches 
have in common is that they first try to create the analog 
of a point-to-point link between Alice and Bob to solve 
the final cryptographic task. 

Here, we take a novel approach using techniques from 
classical cryptography to bridge the potentially large 
physical distance between Alice and Bob. Concretely, 
we for the first time consider the case where any two 
nodes that are directly connected by a (quantum) com- 
munication link can securely solve the universal crypto- 
graphic problem of oblivious transfer (OT), which in turn 
enables them to solve any two-party cryptographic prob- 
lem [15] . Implementations of such protocols (link-OT) 
can be found in noisy-storage model [SHSj. Any node in 
the network may behave honestly, or be dishonest in the 
sense that it will collaborate with the dishonest Alice or 
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FIG. 1: if any two nodes with a direct link can perform oblivious 
transfer, then Alice and Bob can solve any two-party cryptographic 
problem as long as there exists a path from Alice to Bob (e.g., 3 and 
4) along which all intermediary nodes arc honest, or the cheating party 
cannot solve a computational problem efficiently. 



Bob. A dishonest node also has full control over the com- 
munication links attached to it, making it more powerful 
than for example the eavesdropper in QKD who only has 
access to the communication link and not to any of the 
individual labs. 

Results We first provide a simple protocol for obliv- 
ious transfer between Alice and Bob, who do not share a 
direct quantum link, that is secure, as long as all nodes 
along one of the paths from Alice to Bob are honest (path- 
OT). We will refer to this path as an honest path from 
Alice to Bob, which is in flavor similar to recent exten- 
sions to the idea of trusted relays for QKD [19] , However, 
we prove that this is in fact all we can hope to achieve 
for secure two-party computation without any additional 
resources: Given only the resource of link-OT and clas- 
sical communication, no protocol between Alice and Bob 
can be secure without the existence of an honest path. 
Furthermore, we show that link-OT is in fact a necessary 
condition for any protocol to be secure, i.e., having access 
to a large network of nodes does not allow us to solve the 
problem of oblivious transfer on its own [27] . 

Then, we successively relax the assumption of an hon- 
est path. First, since relying on an honest path alone 
may still be rather unsatisfactory, we show that we can 
add a security backup in the sense that our protocol can 
be made secure if there is either an honest path, or at 
least the dishonest node cannot break a computational 
assumption. We then show that the assumption of the 
honest path can be relaxed if each pair of nodes are given 
a classical shared key for free, and finally that a non- 
trivial notion of security is still achievable for a node, 
even if everyone else in the network is dishonest. 

Our results open the door for extending implementa- 
tions of oblivious transfer in the noisy-storage model to 
large distances similar to the case of QKD [15] . 



THE PROTOCOL 

Let us first explain the problem of oblivious transfer 
(OT) [20] ; a formal definition can be found in [4]. Alice 
(the sender) holds two input strings s ,si € {0, l} 1 [2"5] 
and Bob (the receiver) holds a choice bit c € {0,1}. If 
both nodes are honest, Bob should receive the input of his 
choosing, s c , at the end of the protocol. If Bob is honest, 
then our goal is to ensure that whatever attack Alice may 
mount, she can nevertheless not gain any information 
about c. Conversely, if Alice is honest, we want that a 
dishonest Bob is unable to gain any information about 
at least one of Alice's inputs, si_ c . Whereas oblivious 
transfer by itself may seem like a rather obscure task, it 
has in fact been shown that Alice and Bob can use it 
to solve any other cryptographic problem securely [18] . 
Below we use OT((so, si), c) to indicate that we use a 
link-OT protocol as a black box. 

We now provide two protocols, where the first is un- 
conditionally secure for the sender Alice [29] and secure 
for the receiver Bob provided there is an honest path. 
The second has exactly opposite security properties: it is 
unconditionally secure for Bob and secure for Alice pro- 
vided there is an honest path. Let N be the number of 
paths connecting Alice to Bob and denote by v\, . . . ,vn 
the nodes adjacent to Alice on the N possible paths. We 
use '+' and '•' to indicate bitwise addition and multipli- 
cation modulo 2 respectively, and Gr to denote that a 
variable has been chosen uniformly and independently at 
random. 



First, the protocol is correct when both players are 
honest, since Bob computes 

s c = t Cl .i + . . . + t CNiN = s + (s + si) ■ c (1) 

We now argue that the protocol is also secure; details 
can be found in the appendix. Suppose first that Bob 



Protocol 1: 

Input: s ,si G {0,1}'' for Alice, c e {0,1} for Bob 
Output: s c to Bob. 

Bob: Chooses N bits ci, . . . , Cjv &r {0, 1} such that 
c = ci + . . . + cn . He sends Cj to node Vj along 
the j-th path. 

Alice: Chooses N keys ri,...,rjv €r {0, 1} £ such 
that n + ■ ■ ■ + tn = 0. 

Performs OT((£o,i,£i,i), Ci) with to,i = s o + 
r\ and in — s i + r i with node t>i, and 
OT((io,j, ti,j), Cj) with to.j = Tj and t± t j = 
so + s i + r j with nodes V2, ■ ■ ■ ,f jv- 

Intermediary Nodes: Node Vj sends t c ,j to Bob 
along the j-th path. 

Bob: Computes s c — t ci ,i + . . . + t CN ^- 
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is dishonest. Since Alice uses fresh keys in each 

round, and sq and s± are themselves randomly chosen 
bit strings unknown to Bob, Bob would need to retrieve 
at least N + 1 entries t c .j in order to compute both s 
and s\. However, even if Bob is working together with 
all intermediary nodes, he can only learn at most one of 
(to,j,ti,j) from each of the N link-OTs with Alice. Hence, 
Bob learns nothing about one of sq or s% as desired. 

Suppose now that Bob is honest, and there exists an 
honest path between Alice and Bob. Note that Bob ef- 
fectively performs a secret sharing of his input along all 
paths, so that Alice needs all shares in order to recover 
c [21]. However, the share on the honest-path remains 
unknown to Alice. The security of the link-OT ensures 
she cannot use it to gain any information about c either. 

Our second protocol is similar, but with Alice perform- 
ing a secret sharing of her inputs. Let w\, . . . ,wn be the 
nodes adjacent to Bob on the N possible paths. 



Clearly, the protocol is correct if both parties are hon- 
est. The security of the link-OT for the receiver ensures 
that even if a dishonest Alice controls all nodes adjacent 
to Bob, she nevertheless cannot learn c. Finally, the pro- 
tocol is secure against a dishonest Bob, assuming that 
there exists an honest path: In this case, at least one of 
the shares s j or Sij remains unknown to Bob, since they 
are securely transmitted to node Wj via the honest path, 
and the link-OT protocol between Wj and Bob is secure 
for the sender. Hence, he cannot learn both inputs sq, Si- 

One may wonder whether we could have constructed a 
path-OT protocol without relying on the existence of a 
link-OT protocol, which is impossible to obtain without 
assumptions However, it is easy to see that the 

existence of any path-OT protocol would imply a secure 
link-OT protocol between two directly connected parties, 
Anne and Bill: First, Anne picks a path from Alice to 
Bob in the original setting. Then Bill picks a path from 
Bob to Alice. The remaining paths they split arbitrarily. 
Now Anne acts as Alice would and in addition simulates 
the action of all nodes in the paths assigned to her. Bill 
also simulates the actions of Bob together with all nodes 
in the paths assigned to him. Clearly, no matter who will 
be dishonest, we are always in the setting where there is 



an honest path in the original protocol, as one path is 
always simulated by someone being honest. This means 
that we cannot hope to achieve OT in the honest-path 
model without additional assumptions either |22j . 

SECURITY WITHOUT AN HONEST PATH 

However, one might still hope that given such a strong 
primitive as link-OT we might be able to achieve security 
using only classical communication, even without the as- 
sumption of an honest path. Unfortunately, it turns out 
that an honest path is indeed a necessary condition for 
security: If there is no honest path, then there exists a 
subset of corrupted nodes M, such that any communi- 
cation between Alice and Bob goes through them. Intu- 
itively (see appendix for details) this means that either M 
can gain information about c, or else must know enough 
about So and Si to be able to supply Bob with the desired 
output. In the first case, dishonest Alice can learn c from 
M, and in the second dishonest Bob can break security 
by learning information about both of Alice's inputs. 

A security backup: Nevertheless, the assumption of 
an honest path may appear quite strong, and it would be 
useful to have some security guarantees even if this as- 
sumption fails. Fortunately, it is straightforward to adopt 
existing techniques from classical cryptography [531 HI] to 
extend our protocols to be secure if either the honest-path 
assumption holds, or else if the dishonest party cannot 
break a certain computational problem. To this end, we 
combine our protocol with a protocol for classical oblivi- 
ous transfer. OT can be achieved classically under a large 
variety of assumptions. Here, we choose to combine our 
protocol with the protocol of Naor and Pinkas 25 , which 
is secure against a dishonest sender if he cannot break the 
decisional Diffie Helhnan problem (DDH), and uncondi- 
tionally secure against a dishonest receiver. Note that 
this means that just like for our honest-path assump- 
tion, we have unconditional security against one party, 
and security according to either the DDH or the honest- 
path assumption against the other [30]. Using the {3, 2}- 
robust uniform OT-combiner from [241 Theorem 2] we 
hence immediately obtain that there exists an oblivious 
transfer protocol that is secure if either the honest path 
or the DDH assumption holds using two instances of pro- 
tocol 1, and two instances of the OT protocol of [25]. An 
explicit protocol can be found in |24j . 

Secret keys: In the classical model for secure multi- 
party computation one usually assumes that there exist 
private links between all nodes and we are trying to show 
security against subsets of dishonest nodes. Clearly, this 
is a strong assumption as it requires us to establish keys 
over potentially long distances. Nevertheless, it is in- 
teresting to consider a hybrid-model, where there exists 
a complete network of classical private links and also a 
network of quantum links between neighboring nodes al- 



Protocol 2: 

Input: s ,si e {0, l} e for Alice, c £ {0,1} for Bob 
Output: s c to Bob. 

Alice: Chooses N strings sqi, ■ ■ ■ , son &r {0,1}^ 
such that so = Soi + . . . + sojv and similarly 
sh,...,sijv Er {0, l} 1 such that s\ — Sn + 
. . . + sin. She sends bits S(y, sy to node Wj, i.e. 
the j-th neighbour of Bob via the j-th path. 

Bob: Performs OT((soj> Sij), c) with node Wj. Com- 
putes s c = s c i + . . . + s c jv. 
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lowing them to perform link-OT. It is easy to see that 
our protocol can be transformed to achieve security as 
long as one of the neighbours of Alice and Bob is hon- 
est, instead of the entire path being honest: we use the 
private channels to directly communicate with the im- 
mediate neighbours instead of relying on the entire path. 
This easy example shows that allowing link-OT is indeed 
more powerful than what one can hope to gain in the 
classical model of secure multi-party computation. 

No assumptions: Finally, let us consider what hap- 
pens if we allow an arbitrary number of network nodes 
to be dishonest. Curiously, some weak notion of security 
still remains. More specifically, by performing our two 
protocols sequentially with different inputs for Alice and 
Bob in the two executions, we can trivially construct a 
form of path-OT where Alice has four inputs, and Bob 
has two choice bits such that: if everyone is honest, then 
Bob learns two of the four bits, and Alice learns nothing 
about Bob's two index bits. If Alice is honest, but ev- 
eryone else in the network is dishonest, then Bob learns 
three bits, but not all four of them. If Bob is honest, 
but everyone else is dishonest, then Alice learns one of 
the two index bits of Bob, but not both of them. These 
properties follow directly from our previous analysis. 

Note that this weak form of security is still impossible 
classically on a complete network with private links, un- 
less computational assumptions are added. In our model, 
it becomes possible because we added the neighboring 
quantum links and assumed that we can perform short 
distance OT protocols via these quantum links. One can 
turn this weak OT protocol into some weak bit com- 
mitment protocol as well, leading to weak forms of coin 
tossing over long distances. 

CONCLUSIONS 

We have shown security against dishonest Alice (or 
Bob) whenever there is at least one honest path, or the 
dishonest party cannot break a computational assump- 
tion. One can easily extend our protocol to be robust 
against the case where the intermediary nodes may be 
dishonest independently of Alice and Bob, and try to al- 
ter Alice's or Bob's input. In our present protocols this 
is of course possible since they could for example flip one 
of the bits {cj}j. To make the protocol robust we can 
simply use a more advanced secret sharing scheme that, 
similar to an error correcting code, protects against 'er- 
rors' introduced in the secrets [55]. Note that depending 
on our choice of secret sharing scheme, we may require 
more than one honest path to achieve robustness or more 
communciation rounds [31] . 

Our protocols show that two-party cryptographic 
primitives can be implemented over long distances in an 
extremely simple manner. Our result enables us to ex- 
tend the range of protocols in the noisy-storage model in 



a similar way as has been done in QKD [T3] . Clearly, our 
protocols still require a considerable amount of classical 
communication. However, this is technologically much 
easier to achieve than entanglement swapping which of 
course still remains the more desirable solution. The 
quantum operations that the nodes are performing are 
no harder than the ones necessary in the link-OT proto- 
cols, i.e. it suffices that they create and measure BB84 [1 
states [J] . No complicated operations like Bell state mea- 
surements, or memory are required. 
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SECURITY OF PROTOCOL 1 

Whereas we ideally show security using the formal defi- 
nitions for fully-randomized OT [4j, we restrict ourselves 
to the simple arguments below in order to not obscure 
our argument, which is sufficient since our setting is very 
straightforward to analyze. 

Claim 1.1. Protocol 1 forms a secure oblivious transfer 
scheme with unconditional security against Alice, and se- 
curity against Bob whenever there exists an honest path. 

Proof. We first show that the protocol is correct when 
both Alice and Bob are honest. This follows immediately 
by noting that Bob can compute 



Sc = *ci,l + • • • + tc N ,N (2) 

N 

= (s + (s + si) • ci + ri) + y^((s + si) ■ Ci + r 2 ) 

i=2 

= s + (s + si) ■ c = s c . 

We now show that the protocol is secure if Alice is hon- 
est, where we allow all intermediary players and Bob to 
be dishonest. From the security of the link-OT protocol, 
it follows that Bob can learn at most one of Alice's inputs 
from each invocation. In the most general cheating strat- 
egy, Bob can arbitrarily choose values as his input bits to 
the N link-OT protocols. Let d\, d®, . . . , dw denote these 
inputs and let t^ 1; . . . , td Nl N be the inputs of Alice that 
Bob learns. Note that for any choice of Bob's inputs {di}i 
there exists a c £ {0, 1} such that td 1 ,i + . ■ - + td N ,N = s c . 
Moreover, t dl ,i + ■ ■ - + t dN _ u N-i + ti-d N ,N = Si-c- Our 
goal is now to show that Bob cannot gain any information 
about Si_ c . First of all, note that since Alice uses fresh 
keys in each link-OT, and So and s i are themselves 

randomly chosen bit strings unknown to Bob, the val- 
ues of td lt x,--- ,td N ,N and t\^d N ,N are all independent. 
Hence, Bob would need to retrieve all such N + 1 entries 
in order to compute both So and S\, which contradicts 
the security of the link-OT. 

It remains to prove security if Bob is honest. Note that 
Bob effectively performs a secret sharing of his input 

C= ^ C 3 ( 3 ) 

„•• !i V| 

along all paths such that the bit c can only be recovered 
if and only if Alice learns all shares {cj}j. However, 
Alice has no information about the value of Cj on the 
honest-path as links between honest players are secure. 
Furthermore, the link-OT used between Alice and Vj is 
secure for the receiver, and hence we conclude that Alice 
cannot learn c as promised. □ 

NECESSITY OF THE HONEST PATH 

We now prove that an honest-path is a necessary con- 
dition for OT, where we use a weaker definition which is 
implied by the formal ones given e.g. for (fully random- 
ized) oblivious transfer in [4]. Note that this is sufficient 
to prove the impossibility of the more difficult task as 
well. More concretely, the following conditions must hold 
for any protocol that is both correct and secure. Any im- 
possibility proof for a protocol aiming for perfect security 
is rather unsatisfactory since we would be willing to ac- 
cept a very small probability of failure. We hence include 
a security parameter e > which intuitively corresponds 
to the error we are willing to accept. 
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First of all, for any protocol that is correct we must 
have that the probability that honest Bob with input c 
can guess honest Alice's input, s c , satisfies 



Correctness: Pr[s c |_Bo6] > 1 — e 



(4) 



Furthermore, if Alice is honest, then for whatever attack 
Bob may conceive we have that he cannot guess at least 
one of the two inputs 

Security against Bob: 3b Pr{s b \Bob] < ~ +e , (5) 

2 

Finally, if Bob is honest and his input bit is c, then for 
any strategy of dishonest Alice, she is unable to learn 
Bob's choice bit 



Security against Alice: Pr[c|^4/ice] < 



1 



(6) 



To obtain an impossibility proof, our goal is now to 
show that Q, ([5} and ^ can never be satisfied simulta- 
neously for small values of e. That is, we can only hope to 
achieve very imperfect version of oblivious transfer with 
a large error e. 

Claim 1.2. There exists no protocol for oblivious trans- 
fer based on only link-OT and classical communication 
that is secure without an honest path between Alice and 
Bob with security parameter e < 1/4 — l/2 e+2 . 

Proof. If there is no honest path, then there exists some 
subset of potentially dishonest nodes M that separates 
the network into two disconnected components, one con- 
taining Alice and the other Bob. Let us now establish 
some basic properties of the probabilities that Alice, Bob 
or M can learn sq, Si and c in an honest execution of any 
protocol. 

Note that in any protocol, Bob cannot gain more infor- 
mation about Alice's inputs than M can, since all infor- 
mation between Alice and Bob runs through M (wlog we 
can furthermore assume that dishonest Bob would give 
any shared secret keys with Alice to M for free). Hence, 
we have that 



V6 Pr[s b \Bob] < Pr[s b \M] 



(7) 



Similarly, Alice cannot gain more information about 
Bob's input than M can, hence 



Pr[c\Alice) < Pr[c\M] 



(8) 



First, suppose that for an honest execution of any pro- 
tocol the probability that M is able to guess c satisfies 
Pr[c|M] > 1/2 + e. Then, Alice can violate the security 
condition ([6]) by running the protocol honestly with Bob 
and then asking M for a guess of c. Hence, it must hold 
that 



Pv[c\M] < - +e 



(9) 



Second, by the correctness condition Q and equa- 
tion Q, for an honest execution of any protocol, we have 



Pv[s c \M] > 1 - £ 



(10) 



Third, suppose that for an honest execution of any pro- 
tocol, Pr[si_ c |M] > + e. Then, Bob can violate the 
security condition (JsJ by running the protocol honestly 
with Alice and then asking M for a guess for both sq and 
si. Hence, it must hold that 



Pr[ Sl _ c |M] <j t +e 



(11) 



We now show that these conditions imply that whenever 
Bob is honest, there exists a cheating strategy for Alice. 
Alice first chooses two random inputs so,si € {0,1}^, 
and runs the protocol as an honest Alice would do. Af- 
terwards, she picks a random b and asks M, who by def- 
inition will willingly cooperate with any cheating party, 
to send her a guess s b for s b . Note that ( 10 1 and (111 now 



tell us that the probability that M succeeds is very large 
for s c , but extremely small for si_ c . Alice then outputs 
b as her guess for c if M guessed correctly and 1 — b if 
M guessed wrongly. The probability that Alice succeeds 
using this strategy obeys 

Pr[c\Alice] (12) 
= Pr[6 = c] Pt[s c \M] + Pr[b = 1 - c](l - Pr[ Sl _ c |M]) 



1/ x 1/ 1 

>- 2 (l-e) + - 2 (l- ¥ -e) 



1 



(13) 

(1-s-^t)- (14) 
Comparing ( 14 ) with Q concludes our claim. □ 



Note, however, that OT is of course possible if M 
would be fully quantum, and in particular would be able 
to perform entanglement swapping between Alice and 
Bob. 



